Oracle Blog

The Blog of Warren Strange

Thursday Feb 26, 2009

Following on the pioneering work of Robert Dale and Miguel Alonso, I have updated the OpenSSO Spring provider with additional support for authorization. You can now use Spring Security JSP tags, method security annotations and Spring method security pointcuts.

Where to get it!

You can download the provider and a sample Spring application from the OpenSSO Extensions project page.

The package-info header is reproduced below:

Package com.sun.identity.provider.springsecurity Description

A Spring 2 Security provider for OpenSSO.

Provides authentication and authorization plugins for the Spring 2
Security framework. For an example of how to configure this module
refer to the OpenSSO / Spring example.

Authentication

The provider delegates authentication to the OpenSSO instance
configured in the application's AMConfig.properties. When a user tries to access an
application web page, the Spring provider checks for a valid SSOToken. If the user
is not authenticated, they are redirected to OpenSSO. Once authentication
is complete, OpenSSO redirects the user back to the application.

Upon authentication, a Spring UserDetails object is created for the user and
placed in the session. The application can use it to query the user principal and other
information. The Spring Security authentication tags can be used within a JSP,
as shown in the following example:

The Logged on Principal is <security:authentication property="principal.username"/>

Authorization - Web URL Policy

The provider delegates URL policy decisions to OpenSSO. This differs
from most Spring 2 providers, where the URL policy is configured
in the application using annotations or Spring XML configuration.

OpenSSO is queried for URL policy decisions and returns
ALLOW, DENY or null. A null return means that OpenSSO has no policy for the requested
URL; in that case the provider returns an ABSTAIN vote. If you wish to implement a
policy of "Deny that which is not explicitly permitted", use Spring's
AffirmativeBased access decision manager in your security configuration. This ensures that at least
one voter must "ALLOW" the request.

Authorization - Roles

Spring Security uses the concept of GrantedAuthorities, which
are analogous to roles in OpenSSO. This provider converts
OpenSSO group (role) membership into Spring GrantedAuthorities. The current
implementation converts an OpenSSO group membership (for example "staff") into
a GrantedAuthority by concatenating the prefix "ROLE_" with
the upper-cased group name. For
example, if a user belongs to the OpenSSO groups "staff" and "admins", they
will be granted the "ROLE_STAFF" and "ROLE_ADMINS" authorities.
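
The following is an added example, not code from the provider itself: it models the two mappings described above (OpenSSO URL policy decision to Spring vote, OpenSSO group to GrantedAuthority name) and shows why the AffirmativeBased manager gives "deny unless explicitly permitted". The POLICY map and the three URLs are constructed stand-ins for the OpenSSO policy service, and the class and method names are hypothetical.

```java
// Added example, not the provider's own code. POLICY is a constructed stand-in
// for the OpenSSO policy service; class and method names are hypothetical.
// Compile and run with: javac OpenSsoVoteDemo.java && java OpenSsoVoteDemo
import java.util.*;

public class OpenSsoVoteDemo {
    // Vote values used by Spring Security's AccessDecisionVoter
    static final int ACCESS_GRANTED = 1, ACCESS_ABSTAIN = 0, ACCESS_DENIED = -1;

    // Constructed policy table: TRUE = ALLOW, FALSE = DENY, absent = null (no policy)
    static final Map<String, Boolean> POLICY = new HashMap<String, Boolean>();
    static {
        POLICY.put("/app/staff/report.jsp", Boolean.TRUE);
        POLICY.put("/app/admin/config.jsp", Boolean.FALSE);
        // "/app/public/index.jsp" deliberately has no entry
    }

    // Group membership -> GrantedAuthority name: "ROLE_" + upper-cased group name
    static List<String> toAuthorities(Collection<String> groups) {
        List<String> roles = new ArrayList<String>();
        for (String g : groups) roles.add("ROLE_" + g.toUpperCase(Locale.ENGLISH));
        return roles;
    }

    // Policy decision -> vote: ALLOW -> GRANTED, DENY -> DENIED, null -> ABSTAIN
    static int urlVote(String url) {
        Boolean decision = POLICY.get(url);
        if (decision == null) return ACCESS_ABSTAIN;
        return decision.booleanValue() ? ACCESS_GRANTED : ACCESS_DENIED;
    }

    // AffirmativeBased semantics: any GRANTED vote wins; otherwise any DENIED denies;
    // all-ABSTAIN is denied unless allowIfAllAbstainDecisions is set (default false).
    static boolean affirmativeDecide(int[] votes, boolean allowIfAllAbstain) {
        int denied = 0;
        for (int v : votes) {
            if (v == ACCESS_GRANTED) return true;
            if (v == ACCESS_DENIED) denied++;
        }
        return denied == 0 && allowIfAllAbstain;
    }

    public static void main(String[] args) {
        System.out.println(toAuthorities(Arrays.asList("staff", "admins")));
        String[] urls = { "/app/staff/report.jsp", "/app/admin/config.jsp", "/app/public/index.jsp" };
        for (String u : urls) {
            int[] votes = { urlVote(u) };
            System.out.println(u + ": vote=" + votes[0] + " allowed=" + affirmativeDecide(votes, false));
        }
    }
}
```

The unlisted URL is the case to watch: the OpenSSO voter abstains on it, and the request is denied only because AffirmativeBased keeps its default of rejecting an all-abstain outcome.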

Authorities can be used in JSPs via the Spring Security tags. For
example, the following JSP snippet will output different results depending
on whether the user belongs to the staff group:

<security:authorize ifAllGranted="ROLE_STAFF">
<div align="left"><h2>Congrats!! You have the Staff role</h2></div>
</security:authorize>
<security:authorize ifNotGranted="ROLE_STAFF">
<div align="left"><h2>TOO BAD SO SAD - You do NOT have the Staff role</h2></div>
</security:authorize>

Authorizations can also be used to protect methods using Spring pointcuts or
annotations. The example below demonstrates using JSR security annotations: